Abstract: The U.S. has no comprehensive national law governing cybersecurity and no uniform framework for measuring the effectiveness of protections, though retirement plan record keepers maintain the personally identifiable information of millions of workers. Plan sponsors frequently engage consultants and attorneys to help them secure sensitive data, but more work is necessary to engage a larger discussion around this issue. The SPARK Institute has outlined a flexible approach for independent third-party reporting of cybersecurity capabilities with several key control objectives.

Abstract: Retirement plans are a relatively new frontier for cyber fraud, but many in the industry say that such heists are becoming more common. Retirement plans have yet to be the target of the kind of system-wide hacks that make headlines, such as the Equifax breach last year. Still, hackers are getting ever more sophisticated in their approaches.

Abstract: Cybersecurity risks, such as phishing techniques, malware and ransomware attacks, facing employee benefit plans are no different than those facing corporations, and in fact, may be even more significant. As a plan sponsor and those charged with governance, you have a responsibility with respect to management and oversight of the plan, including understanding risks to the plan, even risks of cyberattacks.

Abstract: The best way to secure plan participants' information and assets is to establish an effective cybersecurity strategy. Organizational policies and training will ensure cybersecurity understanding and consistent practices across the board. The most effective cybersecurity strategy includes both a prevention plan and a response plan of action against a breach.

Abstract: Cybersecurity fraud was once a problem reserved for the largest government agencies, credit card companies and banks. However, as these organizations have hardened their security capabilities, fraudsters have shifted their focus to the next tier of banks, as well as financial firms that play in the brokerage, retirement and insurance spaces. Many of these firms are now scrambling to learn from the big banks and quickly implement similar or next generation cybersecurity methods and capabilities.

Abstract: This article outlines reasons employers should consider obtaining cyber insurance, protections that a plan should include, possible drawbacks, and best practices for finding the plan with the appropriate coverage.

Abstract: While hacking is nothing new, the pace of large-scale cyberattacks has accelerated significantly. More worrisome for many plan sponsors, the focus of cyberattacks in the defined contribution world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.

Abstract: One of the most difficult challenges for plan sponsors is determining where to start in their efforts to defend against increasingly sophisticated cyber attacks. This article is designed to assist plan sponsors with formulating and executing their strategy to protect their information and their assets.

Abstract: This article discusses whether retirement plans are really at risk and, if so, why. It concludes with some helpful hints and practical advice to reduce cybersecurity risks, some of which are tips employers can share with retirement plan participants.

Abstract: Employee benefit plans rely on a variety of service providers to administer benefits. Those providers maintain a plethora of participant data and protect plan assets for the benefit of participants. When a plan is attacked, the fallout can be overwhelmingly expensive and burdensome to correct. Many plan sponsors are purchasing cyber liability insurance coverage to supplement their data security measures. Understanding those policies -- and their exclusions -- is important for sponsors who are exploring such coverage.

Abstract: The advent of electronic banking, plan administration, and account information access makes it possible for cyber criminals to plunder assets, absent protections. Experts at the recent 2018 SPARK Institute National Conference held in National Harbor, MD addressed online threats to financial assets -- virtual, but also very real.

Abstract: Benefit plans are uniquely susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties. This 5-minute podcast discusses cybersecurity issues impacting employee benefit plans. It reviews the developing legal framework in cybersecurity and outlines practical tips that plan sponsors and recordkeepers may use to secure plan data.

Abstract: This 8-page document was prepared by the EBPAQC to help plan auditors understand cybersecurity risk in employee benefit plans, and to discuss cybersecurity risk, responsibilities, preparedness, and response with plan clients.

Abstract: The U.S. retirement model has become of increasing interest to foreign hackers, typically the perpetrators of large-scale data breaches. However, companies, plan sponsors and plan participants are unaware or underprepared for the ramifications of a cyberattack, experts warn.

Abstract: Retirement plans are notorious targets for these attacks because they involve a high volume of sensitive information that is invaluable to criminals with malicious intent. Plan participant and financial information is generally shared with many different parties, making it more vulnerable to such threats. This article discusses current risks as well as some useful tips for protecting plan participants' information.

Abstract: Data security is a major concern for all organizations. There are many elements involved in protecting your own employees’ and your clients’ personally identifiable information. Conducting a self-assessment and developing your organization’s internal policies are a good starting point. But it is important to recognize that the job of data protection will never be complete; there will always be new items to add to your security to-do list.

Abstract: There is no explicit cybersecurity duty that applies to consultants under ERISA. Despite this, plan consultants need to become educated on the cybersecurity landscape surrounding plans, in order to assist plan sponsor clients in fulfilling their fiduciary duties.

Abstract: Cybersecurity is a topic that is routinely grabbing headlines across industries, and employee benefit plans are not immune to the risks of cybercrime. The best efforts to reduce these risks are multi-faceted approaches to protecting sensitive information, with employers, their plan participants, and their benefit providers all working in tandem to safeguard personal data.

Abstract: Despite constant advances in available cybersecurity measures, there is no such thing as perfect security, and companies must be prepared to respond to a significant cybersecurity incident at a moment's notice. This article describes some key steps companies can take to respond to a cybersecurity incident in a swift, efficient, and effective manner.

Abstract: Only 27% of RIAs surveyed by TD Ameritrade suggest that cybersecurity issues, even when very broadly defined, are likely to impact client portfolios during 2018; experts suggest this is just wishful thinking.

Abstract: Failure to deal with cybersecurity issues could be a fiduciary breach under these rules and fiduciaries could have personal liability for the resulting losses, for example, if hackers are able to steal plan assets or fraudulently obtain distributions online by pretending to be participants. Participants whose personal accounts are hacked might also have claims against fiduciaries who failed to protect their data.

Abstract: The industry-led project, called Sheltered Harbor, already is known to back up data for savings and checking accounts. But quietly, it's wrapping in data on retail brokerage accounts at some of the nation's largest firms, according to participants. And ultimately, the goal is to expand it to an even heftier pool of 401k accounts and pension funds, whose breach could upend global markets.

Abstract: Being fiduciaries under ERISA, retirement plan officials are tasked with monitoring and managing cybersecurity risk as they invest participant dollars. As outlined in a new report from Corporate Insight, "Trends in Online Security: 1996 to Today," this is no simple task, and it has grown markedly more complex in the last two decades as the role of big data technology has ramped up in the retirement industry.

Abstract: A stolen identity, a few clicks, and there it is, a handsome retirement plan balance, ripe for the picking. If only someone had done something to prevent it all. A recent blog entry offers some ideas on how to do that, as does the IRS.

Abstract: Identity theft and related crimes are on the rise, and they can have a devastating impact on employer-sponsored 401k plans. Plans can have very large balances compared to other cyber targets such as bank accounts, and therefore, have become quite attractive to cyber criminals. Cybercrime related to retirement plans can occur because of threats such as phishing, ransomware, "social engineering," and wire transfer fraud, among others.

Abstract: As cybersecurity threats increase, so should plan fiduciary efforts to combat these threats. Fiduciaries can work with service providers to strengthen existing protections and can work internally to create and document procedures that demonstrate prudent process.

Abstract: The loss of employee personal information due to a cyber breach is an ever-increasing concern to all employers. No organization or industry is immune from cyber threats, including benefit plan sponsors and plan service providers. This article analyzes cybersecurity issues for retirement plans.

Abstract: While many cyber threats have special names, your retirement plan's data may be most at risk from common things employees do every day that put themselves at risk for identity theft. It is those common things (discarding paperwork with personal information, postings on various websites and other information that can be available in the public domain) that identity thieves may use to gain access to an individual employee's retirement plan account. Retirement plan accounts have been stolen by identity theft in several incidents.

Abstract: Some employers delegate the two fiduciary roles that approve cash disbursements (from their 401k plan) to their provider. In the author's view, this outsourcing of fiduciary authority makes a 401k plan more vulnerable to cybertheft.

Abstract: Cybersecurity attorney and former SEC staffer Marlon Paz suggests it is absolutely essential for advisory firms to have a senior executive "not just appointed but also empowered" as the chief information security risk officer.

Abstract: Cybersecurity is a special concern for the financial industry, a lawyer who handles cybersecurity cases said recently. But its importance goes well beyond the integrity of clients' and plan participants' sensitive information; it pervades inter-corporate business functions as well.

Abstract: When most plan participants think about security involving their retirement plan, they are typically thinking along the lines of financial security and how their investments perform. However, like other financial institutions, retirement accounts are subject to cyber threats that could threaten users' privacy and other account information.

Abstract: Cyberattacks -- including incidents of ransomware -- are making headlines almost daily. Because employee health and retirement plans are often top targets, HR professionals should take precautions to defend against these assaults, especially since breaches can also result in penalties and fines.

Abstract: With trillions of dollars in assets to safeguard, the retirement services industry is now intensely focused on the issue of cybersecurity. This article provides three tips retirement plan participants can use to protect their retirement savings.

Abstract: Given the continuing need for plans to adopt ever-greater levels of technology for administrative efficiency, the risk of inadvertent disclosure of personal information is escalating. Regardless of the investment made in protecting systems and data transmissions, plans remain vulnerable to human error and malicious or criminal actions.

Abstract: There have been numerous instances of high-profile cybercrime cases over the past couple of years spurring lively discussions in the ERISA community about the potential threat this type of crime poses to plan assets and personal data of plan participants and beneficiaries.

Abstract: The SEC published a Risk Alert regarding the "WannaCry" ransomware worm that infected hundreds of thousands of computers in over 150 nations earlier this month. The Alert provides background and resources and additionally highlights cybersecurity best practices.

Abstract: There has been a recent spike in attacks on 401k and retirement plans by cyber criminals. A data breach is a disruptive event. For plan fiduciaries, there are several factors that create heightened risk.

Abstract: Many employers historically were only concerned with privacy and security for health plans under the Health Insurance Portability and Accountability Act and state laws. However, cybersecurity should also be a consideration for every retirement plan fiduciary. To preserve fiduciary protection while making required disclosures electronically, retirement plan fiduciaries should consider whether their duties of loyalty, prudence and to administer the plan for the exclusive benefit of the participants might require them to protect their participants' personal information.

Abstract: It's not really new that cybersecurity is a concern for employers. But it shouldn't be ignored, especially in the context of retirement plans, since plan participants' personal and financial information is maintained and shared by multiple parties.

Abstract: Many employers historically were only concerned with privacy and security for health plans under the privacy regulations. However, there are other references to protecting participant information in ERISA and employee information that should not be overlooked. Cybersecurity should be a consideration for every employer and retirement plan fiduciary.

Abstract: One of the most significant challenges that face employee benefit plans is the reliance on service providers to manage daily activities of the plan. As a result, employee benefit plans typically share sensitive employee data and beneficiary and employer information with these service providers. Based upon historical cybersecurity breaches, third parties can be considered the weakest cybersecurity link.

Abstract: Defined contribution service providers generally have cybersecurity insurance when they take on recordkeeping and other duties, but DC plan sponsors themselves are more likely to be lacking such coverage. There is no legal requirement for plan sponsors or service providers to have cyber insurance, but it's best practice.

Abstract: Cybersecurity issues are not really unique in defined contribution. Hackers are getting smarter and are getting better at decrypting. DC plans need to get smarter overall in protecting online sites like banking and DC portals. But there are specific issues to defined contribution plans when it comes to cybersecurity.

Abstract: 401k plan fiduciaries have an obligation to secure and keep private the personally identifiable information of plan participants and beneficiaries. Part of this essential task is ensuring that plan service providers take cybersecurity preparedness and plan data protection seriously.

Abstract: With the increasing threat to organizations from data breaches, HR plays a critical role in helping prevent and minimize the risk from cyber theft. This 21-minute podcast addresses how to identify potential cybersecurity problems, workforce challenges in data protection, and the use of policies, training and employee education that are designed to protect private and sensitive data.

Abstract: Recent technological advancements, especially in the area of cybersecurity, have only now become the focus of most ERISA fiduciaries. Due to the increasing frequency and sophistication of cyber-related threats to employee benefit plans, their trustees and third-party plan administrators and the potential financial repercussions, compliance with ERISA fiduciary standards will require implementation of a prudent cyber risk management strategy. This article is dedicated to understanding cybersecurity issues in the context of ERISA benefit programs.

Abstract: The 2016 ERISA Advisory Council is gathering to study ways to encourage benefit plan sponsors and managers to adopt strategies that minimize the exposure of plan participants' data from cyber-attack. This article touches on what the Council is considering.

Abstract: In an era when costly cyberattacks and data breaches are becoming more common, 401k plan advisers are beginning to scrutinize data-security practices at recordkeeping firms. RK clients also have heightened concerns about securing the personal data of their employees.

Abstract: Data breaches are also causing benefit plan administrators and other fiduciaries under ERISA to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401k and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.

Abstract: Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. Retirement plan fiduciaries must take precautions to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity.

Abstract: In order to minimize a retirement plan's overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including focusing on evaluating its third-party service providers' cybersecurity programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated risks from losses in the event of a cyber attack.

Source: Pillsburylaw.com, February 2016

401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.